End of data losses no loss to NHS Lothian

Inspired by a recent data loss, NHS Lothian has signed a deal with security outfit Lumension to encrypt its data.

After a member of staff broke data guidelines by using a personal memory stick to carry patient details, and then losing it, the organisation decided policy alone was not sufficient to protect sensitive data, according to Martin Egan, director of eHealth with NHS Lothian.

"Given the significance of the risk and the likelihood of it, we believed we had to introduce a technological solution where we actually force policy rather than leave up to professionalism and individual choice," he said.

Egan had also been subject to calls for USB ports to be entirely blocked - but this is not an option, he told silicon.com.

"The IT architecture within health is fairly complex. We've even got scenarios where some of the more scientific departments have microscopes that connect by USB, so if we were just to shut off USB ports and say 'it's only my memory sticks and nothing else', we would bring certain parts of the organisation to its knees. That's why we need the granularity of 'that device is fine, that isn't'," he said.

After conducting a review with Northgate Information Solutions, NHS Lothian settled on Lumension as its security vendor on the grounds the company could supply a particular set of technologies it needed.

"One of the unique points and one that was really critical to us was the Lumension offering allowed you to have encryption in place without the user requiring administrative rights on the PC. We don't allow vast majority users to have local admin rights... There are a lot of products that work very similarly but the unique thing for Lumension was that it was the only one in [the] marketplace that met that requirement," Egan said.

Lumension Security's Sanctuary Device Control and Becrypt Disk & Connect will now be deployed to cover some 25,000 employees and 11,000 devices. The system will block unauthorised access to the Lothian system - a visitor bringing a USB stick for a presentation could connect the device but it would operate only as read-only - and encrypt any data being removed from the system without the user being aware of it.

Any bog standard memory stick can be used with the system, sparing the organisation the cost of buying specially encrypted drives, Egan said, and also allows NHS Lothian to gain greater control over its data.

"It allows us to mitigate risk [and] allows us to continue without too much disruption. They also have a very good reporting suite, which allows us to switch on and off functionality about what type [of] device is allowed to connect to USB ports," he added.